Generalized Robust Combiners for Oblivious Transfer
ABSTRACT A robust combiner for a cryptographic primitive gives a secure implementation of the primitive when at least some of the input candidates are secure. Such constructions provide robustness against insecure implementations and incorrect assumptions underlying the candidate schemes. Robust combiners are useful tools for ensuring better security in applied cryptography. Combiners from the perspective of threshold schemes have been previously studied. However, such threshold schemes typically fail to capture all possible scenarios. In this paper, we characterize the possibility of a transparent black-box combiner for oblivious transfer (OT), given an access structure over the candidate implementations. We also propose a circuit-based framework for the construction of such combiners, and hence reduce the problem of optimal OT combiners to circuit optimization.
- SourceAvailable from: psu.edu[show abstract] [hide abstract]
ABSTRACT: The security of cascade ciphers, in which by definition the keys of the component ciphers are independent, is considered. It is shown by a counterexample that the intuitive result, formally stated and proved in the literature, that a cascade is at least as strong as the strongest component cipher, requires the uninterestingly restrictive assumption that the enemy cannot exploit information about the plaintext statistics. It is proved, for very general notions of breaking a cipher and of problem difficulty, that a cascade is at least as difficult to break as the first component cipher. A consequence of this result is that if the ciphers commute, then a cascade is at least as difficult to break as the most-difficult-to-break component cipher, i.e., the intuition that a cryptographic chain is at least as strong as its strongest link is then provably correct. It is noted that additive stream ciphers do commute, and this fact is used to suggest a strategy for designing secure practical ciphers. Other applications in cryptology are given of the arguments used to prove the cascade cipher result.Journal of Cryptology 02/1993; 6(1):55-61. · 0.84 Impact Factor
Conference Proceeding: Chosen-Ciphertext Security of Multiple Encryption.[show abstract] [hide abstract]
ABSTRACT: Encryption of data using multiple, independent encryption schemes(\multipleencryption")hasbeensuggestedinavarietyofcon- texts, and can be used, for example, to protect against partial key ex- posure or cryptanalysis, or to enforce threshold access to data. Most prior work on this subject has focused on the security of multiple en- cryption against chosen-plaintext attacks, and has shown constructions secure in this sense based on the chosen-plaintext security of the com- ponent schemes. Subsequent work has sometimes assumed that these solutionsarealsosecureagainst chosen-ciphertext attacks whencompo- nent schemes with stronger security properties are used. Unfortunately, this intuition is false forall existing multiple encryption schemes. Here,inadditiontoformalizingtheproblemofchosen-ciphertextsecurity for multiple encryption, we give simple, e-cient, and generic construc- tionsofmultipleencryptionschemessecureagainstchosen-ciphertextat- tacks(basedon any componentschemessecureagainstsuchattacks)in thestandardmodel.Wealsogiveamoree-cientconstructionfromany (hierarchical)identity-basedencryptionschemesecureagainstselective- identity chosen plaintext attacks. Finally, we discuss a wide range of applications forourproposedschemes.Theory of Cryptography, Second Theory of Cryptography Conference, TCC 2005, Cambridge, MA, USA, February 10-12, 2005, Proceedings; 01/2005
Conference Proceeding: On the Impossibility of Efficiently Combining Collision Resistant Hash Functions.[show abstract] [hide abstract]
ABSTRACT: Let H1,H2 be two hash functions. We wish to construct a new hash function H that is collision resistant if at least one of H1 or H2 is collision resistant. Concatenating the output of H1 and H2 clearly works, but at the cost of doubling the hash output size. We ask whether a better construction exists, namely, can we hedge our bets without dou- bling the size of the output? We take a step towards answering this question in the negative — we show that any secure construction that evaluates each hash function once cannot output fewer bits than simply concatenating the given functions.Advances in Cryptology - CRYPTO 2006, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 2006, Proceedings; 01/2006